[dns-operations] RFC2308, negative answer caching, and the largest gTLDs

Andrew White andrew at vivalibre.com
Thu Mar 8 04:25:30 UTC 2018


"Whenever a RR is sent in a response to a query, the TTL field is set to
the maximum of the TTL field from the RR and the MINIMUM field in the
appropriate SOA."

Is it, though? It doesn't appear so:

$ dig @a.gtld-servers.net com SOA +noall +ans | tail -1
com.            900    IN    SOA    a.gtld-servers.net.
nstld.verisign-grs.com. 1520482920 1800 900 604800 86400

Perhaps what you mean is that any NXDOMAIN or other negative response
contains the maximum from the tuple (SOA MIN/SOA TTL).

However, that doesn't appear to be the case:

$ dig @a.gtld-servers.net this-domain-name-surely-does-not-exist-4u33284732432.com SOA +noall +auth | tail -1
com.            900    IN    SOA    a.gtld-servers.net.
nstld.verisign-grs.com. 1520483055 1800 900 604800 86400

So my question remains: Why would one ever set the SOA's TTL to a value
less than SOA MIN? Why do we do so for the largest gTLDs?

Andrew


On Wed, Mar 7, 2018 at 4:54 PM, Mats Dufberg <mats.dufberg at iis.se> wrote:

> RFC 1035 (https://tools.ietf.org/html/rfc1035) says on page 20
>
>     Whenever a RR is sent in a response to a query, the TTL field is set
>     to the maximum of the TTL field from the RR and the MINIMUM field in
>     the appropriate SOA.  Thus MINIMUM is a lower bound on the TTL field
>     for all RRs in a zone.  Note that this use of MINIMUM should occur
>     when the RRs are copied into the response and not when the zone is
>     loaded from a master file or via a zone transfer.
>
> This means that there could be a value of keeping SOA TTL lower than SOA
> MINIMUM to make negative caching shorter than normal caching.
>
> I am not sure, however, that bind has implemented it in this way. I think
> that it respects whatever TTL that you have set on the RRs in the zone file
> independent of the SOA MINIMUM. I cannot find any RFC changing the
> specification, however.
>
> Mats
>
> ---
> Mats Dufberg
> DNS Specialist, IIS
> Mobile: +46 73 065 3899
> https://www.iis.se/en/
>
> From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of
> Andrew White <andrew at vivalibre.com>
> Date: Wednesday 7 March 2018 at 20:02
> To: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
> Subject: [dns-operations] RFC2308, negative answer caching, and the
> largest gTLDs
>
> Hi all,
>
> As we Shirley all often do, I was browsing RFC2308 (
> https://tools.ietf.org/html/rfc2308 ) and noticed that a caching resolver
> is supposed to cache negative answers for "x" seconds, where x is the lower
> of these two values: SOA MIN field and SOA TTL.
>
> The excerpt in question (emphasis mine):
>
>    Name servers authoritative for a zone MUST include the SOA record of
>    the zone in the authority section of the response when reporting an
>    NXDOMAIN or indicating that no data of the requested type exists.
>    This is required so that the response may be cached.  *The TTL of this
>    record is set from the minimum of the MINIMUM field of the SOA record
>    and the TTL of the SOA itself, and indicates how long a resolver may
>    cache the negative answer.*  The TTL SIG record associated with the
>    SOA record should also be trimmed in line with the SOA's TTL.
>
> I posit that this implies that a given zone's SOA TTL and SOA MIN should
> generally be the same.
>
> However, com/net/org have 900 for SOA TTL and 86400 for SOA MIN. Why?
>
> Andrew
>
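Added example, not part of the thread: a small Python script that parses the SOA line from the dig output above (the two mail-wrapped lines joined back into dig's single-line presentation format) and computes the RFC 2308 negative-cache TTL, min(SOA TTL, SOA MINIMUM), next to the RFC 1035 "MINIMUM as a lower bound" reading that Mats quotes, so the two rules can be compared on the real com values. The function names (parse_soa, negative_cache_ttl, rfc1035_floor_ttl, compare), the SoaRecord type and the second example.test SOA are mine; example.test is a constructed contrast case, not a real zone.

```python
from dataclasses import dataclass

# Constructed sample input: the SOA line from the thread's first dig run, with
# the two mail-wrapped lines joined back into dig's single-line format.
COM_SOA_LINE = (
    "com.            900    IN    SOA    a.gtld-servers.net. "
    "nstld.verisign-grs.com. 1520482920 1800 900 604800 86400"
)

# Constructed contrast case (not a real zone): SOA TTL above SOA MINIMUM,
# the opposite of the com/net/org arrangement discussed in the thread.
EXAMPLE_SOA_LINE = (
    "example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. "
    "1 7200 900 1209600 300"
)


@dataclass(frozen=True)
class SoaRecord:
    owner: str
    ttl: int
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(line: str) -> SoaRecord:
    """Parse one SOA RR in dig's presentation format:
    owner ttl IN SOA mname rname serial refresh retry expire minimum"""
    fields = line.split()
    if len(fields) != 11 or fields[2] != "IN" or fields[3] != "SOA":
        raise ValueError(f"not a single-line SOA record: {line!r}")
    owner, ttl, _, _, mname, rname = fields[:6]
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[6:])
    return SoaRecord(owner, int(ttl), mname, rname,
                     serial, refresh, retry, expire, minimum)


def negative_cache_ttl(soa: SoaRecord) -> int:
    """RFC 2308: a negative answer (NXDOMAIN / NODATA) is cached for
    min(SOA TTL, SOA MINIMUM), taken from the SOA in the authority section."""
    return min(soa.ttl, soa.minimum)


def rfc1035_floor_ttl(rr_ttl: int, soa: SoaRecord) -> int:
    """The RFC 1035 section 3.3.13 wording quoted by Mats: MINIMUM is a lower
    bound on any RR TTL copied into a response, i.e. max(RR TTL, SOA MINIMUM).
    The dig output in the thread shows the gTLD servers do not apply this to
    the SOA's own TTL (it comes back as 900, not 86400)."""
    return max(rr_ttl, soa.minimum)


def compare(line: str) -> dict:
    """Summarise both readings for one SOA line."""
    soa = parse_soa(line)
    return {
        "zone": soa.owner,
        "soa_ttl": soa.ttl,
        "soa_minimum": soa.minimum,
        "rfc2308_negative_ttl": negative_cache_ttl(soa),
        "rfc1035_floor_on_soa_ttl": rfc1035_floor_ttl(soa.ttl, soa),
    }


if __name__ == "__main__":
    for line in (COM_SOA_LINE, EXAMPLE_SOA_LINE):
        print(compare(line))
```

For com the RFC 2308 rule yields 900 seconds, so a resolver that follows it holds a cached NXDOMAIN for at most 15 minutes even though SOA MINIMUM is a day; for the constructed example.test zone the same rule picks MINIMUM (300) because it is the smaller value. For a resolver operator, that min() result is the figure that bounds how long a stale negative answer for a newly delegated name can persist in cache.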